MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c
SHA3-384 hash: 3be21b639342600b7ddcc6c43494f5176d2c37ef68f04b9033e3fd861d537193fb99d1a76d27967ecb302a5c073d4261
SHA1 hash: 537611321a98c71ec45fed3bcc54a3ec931d83f4
MD5 hash: 6eda69af77264f25d34f72f094d1d3ea
humanhash: jig-vegan-neptune-fix
File name:Copia del Pagamento_BNL_SEPA.pdf.bat
Download: download sample
Signature MassLogger
Create hunting rule
File size:305'265 bytes
First seen:2025-03-28 13:51:35 UTC
Last seen:2025-04-02 06:15:08 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 6144:c0K/PMOBJrT+SXJ/2ts+3YtRbto522N92/UZBQnGJgL5SWkhgy:j+MOBJr6SJmMRo522tZqnSiBkmy
Threatray 838 similar samples on MalwareBazaar
TLSH T17654E1611DC4B8EB4E2AEF2A8166166D2393CDFD38B2358C26233FC1977F005952F995
Magika vba
Reporter lowmal3
Tags:bat MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
төлем көшірмесі_Bank centercredit.pdf.tar
Verdict:
Malicious activity
Analysis date:
2025-03-28 05:47:35 UTC
Tags:
arch-exec snake keylogger evasion stealer
Link:
https://app.any.run/tasks/21c8146a-4974-4b6d-b9ac-9c67a0ea87d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Other.Malware-gen.6647.29238.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e6aaab855e5ec52409491d
Tags:
obfuscated xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd lolbin masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/67e6a98f09c39f5498b66967/reports/eceb4618-5785-4664-9f29-003ea8d68925/overview
Verdict:
Suspicious
Labled as:
EXP/YAV.Minerva
Link:
https://www.hybrid-analysis.com/sample/13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1651216
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
PowerShell case anomaly found
Powershell drops PE file
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1651216 Sample: Copia del Pagamento_BNL_SEP... Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 32 reallyfreegeoip.org 2->32 34 checkip.dyndns.org 2->34 36 checkip.dyndns.com 2->36 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Yara detected MSIL Logger 2->48 52 12 other signatures 2->52 10 cmd.exe 1 2->10         started        signatures3 50 Tries to detect the country of the analysis system (by using the IP) 32->50 process4 signatures5 64 Suspicious powershell command line found 10->64 66 Self deletion via cmd or bat file 10->66 68 Suspicious command line found 10->68 70 PowerShell case anomaly found 10->70 13 cmd.exe 1 10->13         started        16 conhost.exe 10->16         started        process6 signatures7 72 Suspicious powershell command line found 13->72 74 PowerShell case anomaly found 13->74 18 powershell.exe 22 13->18         started        process8 file9 30 C:\Users\user\...\qbaOWjiDozBAnZXxOQWui.dll, PE32+ 18->30 dropped 54 Uses ping.exe to check the status of other devices and networks 18->54 56 Writes to foreign memory regions 18->56 58 Creates a thread in another existing process (thread injection) 18->58 60 Powershell drops PE file 18->60 22 PING.EXE 15 3 18->22         started        26 conhost.exe 18->26         started        signatures10 process11 dnsIp12 38 127.0.0.1 unknown unknown 22->38 40 checkip.dyndns.com 158.101.44.242, 49717, 80 ORACLE-BMC-31898US United States 22->40 42 reallyfreegeoip.org 104.21.112.1, 443, 49718 CLOUDFLARENETUS United States 22->42 62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 28 conhost.exe 22->28         started        signatures13 process14
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-03-27 23:50:12 UTC
File Type:
Text
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cndi2wook6zmawnkhhak4cqxkpetz2ok4eykepioumdphkxro46a._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
novastealer
Create hunting rule
Similar samples:
14d370a69c8c075b14a411301bc9137d1db0683ac4ff480d25404d9f81533f66
MassLogger
14f6cc465c16b2b06dca025ac97d6824d0793554b1599b68e401379b4f2cb12a
MassLogger
27be1fda8c87477ab97c0df0ff72311f87a80f404337f1bb269e37dbe266972d
MassLogger
6357866d9a4110843c44f4a4986d50a0af5380f4e185373d062f123d73fe63d9
MassLogger
7e430da9854a73aeac41d86bd6a225ec27cc681188eb70ef5eec80f737a41a91
MassLogger
ced40caee716f956a4db4d96f10daa8b80f6c30371f2490129b6cf212dcfd223
MassLogger
error
MassLogger
f7c651df3bbe493431c583ee9b03a6b3c3f2fc3f6e69dd5d4ea05a75290c2254
MassLogger
f99267a4d305fa5fbbcc6c474c8dc3f0c071e837829db5ec805a67161270d7f1
MassLogger
+ 828 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250328-q6hjjaymy7/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Batch (bat) bat 13468d59ce57b2c059aa39c0ae0a1753c93ce9cae130a23d0ea306f3aaf1773c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments